
New Member

VACL not working

I'm trying to secure a VLAN using VACL on a 6509 CatOS 5.4(1) and it doesn't work. I have created a MAC ACL, based on the source host mac and ANY as the destination, example:

set security acl mac test permit host 00-01-02-03-04-05 any

There are 16 ACEs.

I have committed the ACL and mapped it to a VLAN. As I understand it, all frames being forwarded in this VLAN will first be checked against the VACL and if there's a match it will be forwarded. But it doesn't work!! A port in the VLAN is connected to another switch and on that switch there are some clients that I want to have access and the rest needs to be denied access. With the above config I haven't put my notebook MAC in, and connecting it to the VLAN in the same VLAN I still have access... Which indicates that the VACL does not work. The VLAN is not routed with the MSFC. I need to use a MAC VACL because of tighter access control.

I haven't used port security because it doesn't support high availability on redundant supervisors. And VACLs are supported with high availability.

I have checked the release notes for newer versions and looked in the bug tool and I can't find any issues with MAC VACLs. I know that the CatOS version is quite old but unless there is a specific issue with VACLs or other we can survive on this version.

If you have any comments/advice please elaborate.

Thank you.

New Member

Re: VACL not working

See this reference:

IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

New Member

Re: VACL not working

So as I understand it, it is not possible to use a MAC ACL as a filter for any kind of traffic except AppleTalk, DECnet etc., like you could do with port security? Which I can't use... So I have to use IPs... hmmm. Ok. I'll look for another solution. Thanks
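For reference, the following CatOS configuration shows the MAC VACL from the question beside the IP VACL it would have to become for IP clients to be filtered, as the reply explains. This is an added illustration, not configuration from any poster; the VLAN number, the ACL names and the 10.1.1.x host addresses are constructed sample values, and the CatOS command forms are assumed from the 6500 CatOS command set rather than taken from this thread.

```text
# MAC VACL as posted: on CatOS only non-IP, non-IPX frames (AppleTalk,
# DECnet, ...) are matched against it, so an IP host on the VLAN is
# never evaluated by this ACL and is forwarded regardless.
set security acl mac test permit host 00-01-02-03-04-05 any
commit security acl test
set security acl map test 100

# IP VACL alternative: name the permitted clients by IP address and
# deny everything else. 10.1.1.10 / 10.1.1.11 and VLAN 100 are
# constructed sample values; an explicit final deny keeps the intent
# visible in "show" output.
set security acl ip vlan100-filter permit ip host 10.1.1.10 any
set security acl ip vlan100-filter permit ip host 10.1.1.11 any
set security acl ip vlan100-filter deny ip any any
commit security acl vlan100-filter
set security acl map vlan100-filter 100

# Checks: confirm the ACEs were committed to hardware and that the
# VLAN mapping points at the IP ACL, not only the MAC ACL.
show security acl info vlan100-filter
show security acl map 100
```

A MAC VACL and an IP VACL can both be mapped to the same VLAN; the MAC ACL then covers only the non-IP/IPX protocols the reply lists, while IP clients are governed solely by the IP ACL.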
